Possible SQL Injection when using contains with EF?

I've noticed that when using Contains in EF

.Where(i => myListOfStrings.Contains(i.Value))

The generated SQL looks like this

IN ('Value1', 'Value2')

Since the values are not parameterized, isn't it possible to inject some SQL?

gsharp asked Jun 08 '16 11:06


1 Answer

It will not just mindlessly construct an IN statement from your Contains. At the very least it will escape single quotes (by doubling them). Suppose you want to inject something like "') OR 1=1--" as suggested in the comments, assuming that it will be converted to:

where ... IN ('') OR 1 = 1 -- the rest

But because single quotes are escaped that will be:

where ... IN (''') OR 1 = 1 --' -- the rest

So we are safe here, because your whole statement is treated as a string.

Evk answered Oct 05 '22 11:10
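As an added example (not code from the question or the answer), the three IN-list shapes discussed above are run against an in-memory SQLite table: unescaped literals, literals with single quotes doubled as the answer describes, and a parameterized list. The table, its rows and the function names are constructed for this example, and SQLite stands in for the real provider, whose exact escaping rules may differ.

```python
import sqlite3

# Constructed sample table; the query is meant to match only "Value1".
ROWS = [("Value1",), ("Value2",), ("Secret",)]
# The string proposed in the thread as an injection attempt.
INJECT = "') OR 1=1--"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (value TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", ROWS)
    return conn


def naive_in_sql(values):
    """Unescaped literals: the IN list the question fears is generated."""
    return "SELECT value FROM items WHERE value IN ('" + "', '".join(values) + "')"


def escaped_in_sql(values):
    """Literals with every single quote doubled, as the answer says EF does."""
    literals = ", ".join("'" + v.replace("'", "''") + "'" for v in values)
    return "SELECT value FROM items WHERE value IN (" + literals + ")"


def run_literal(build_sql, values):
    """Run a literal-list query and return the matched values, sorted."""
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(build_sql(values)))
    finally:
        conn.close()


def run_parameterized(values):
    """One '?' placeholder per value: the engine never parses the values as SQL."""
    placeholders = ", ".join("?" for _ in values)
    sql = "SELECT value FROM items WHERE value IN (" + placeholders + ")"
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql, list(values)))
    finally:
        conn.close()


def compare(values):
    """Matched rows for each SQL shape, so the three can be checked side by side."""
    return {
        "naive": run_literal(naive_in_sql, values),
        "escaped": run_literal(escaped_in_sql, values),
        "parameterized": run_parameterized(values),
    }


if __name__ == "__main__":
    print(compare(["Value1", INJECT]))
```

Only the unescaped form returns every row; the quote-doubled form and the parameterized form both match just Value1, which is the behaviour the answer relies on.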